Developers using Firebase urged to check configuration after leak exposed

App development companies using Google’s Firebase tool have been warned to urgently check their configuration, as researchers from Comparitech found thousands of apps leaking personal information.

Firebase, a data storage solution for apps, is used by an estimated 30% of all apps on the Google Play store – and data from Comparitech’s study released today indicates that 4.8% of apps using Firebase are ‘not properly secured’.

This could potentially allow threat actors access to personally identifiable information, access tokens, and other data without a password or authentication.

“Comparitech’s security research team led by Bob Diachenko examined 515,735 Android apps, which comprise about 18% of all apps on Google Play,” says Comparitech tech writer Paul Bischoff in a blog post on the Comparitech website.

“In that sample, we found more than 4,282 apps leaking sensitive information. If we extrapolate those figures, an estimated 0.83% of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total.”

Further research found that vulnerable applications have been installed 4.22 billion times by Android users.

Email addresses were the most exposed asset, followed by usernames, passwords, phone numbers, and full names.

Comparitech reported that games were app category with the highest number of vulnerable apps, followed by education and entertainment.

Of the 155,066 Firebase apps analysed, 11,730 had publicly exposed databases, according to Comparitech.

9,014 of them included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.

If granted this access, attackers could use the information to inject nefarious data into an app, scam users, spread malware or corrupt the app database.

Comparitech then took the findings to Google. In response, a Google spokesperson said:

“Firebase provides a number of features that help our developers configure their deployments securely.

“We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them.

“We are reaching out to affected developers to help them address these issues.”

Comparitech exploited a common misconfiguration in an app’s resources to gain access to its stored data.

If the database is publicly exposed, attackers could simply add ‘.json’ to the end of a URL belonging to an app which uses Firebase – and this request will return the full contents of the database.

“Some of the databases were too large for one download request, so researchers used a ‘shallow’ keyword option to limit the depth of the response, iterating only through keys and downloading the database chunk by chunk,” says Bischoff.